• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 234
  • Last Modified:

2003 AD GPO Issues

Hi All,
I need to lock down a TS server running QuickBooks. I created the GPO and applied it to an OU called Secure QuickBooks Servers. Within the GPO I defined the required setting including Loopback Processing. The problem I am having is that I have only the QB server computer object in the OU. I also created 2 test accounts for verification. I also have a group call QuickBooks Users which I use for security filtering on the GPO; I have removed the Authenticated Users group.  The GPO will not apply without me adding the test user accounts to the Secure QuickBooks Servers OU which is not an option given that the Policy will then be applied to the user desktops as well ( I think). Is there a way for me to apply the Secure Terminal Server GPO only to the users logging on to the QuickBooks Server, without affecting the administrator or the users desktop environments?

Thank you in advance!


0
kbabbing
Asked:
kbabbing
  • 5
  • 4
1 Solution
 
Cláudio RodriguesCommented:
1. On the QuickBooks Server OU you must have the TS (I assume your QuickBooks server) ONLY.
2. The Policy you will create will apply to the QuickBook Users AND to the TS Computer object (your QuickBooks Server).
3. Loopback Processing mode should be enabled and set to replace.

This will do what you want that is to have the policy applied to these users only when they logon to the TS (QuickBooks Server).

Cláudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 
kbabbingAuthor Commented:
The problem I am having is that the GPO only applies when the Users and Computer Object reside in the same OU. If I move the test users out of the OU and leave only the Computer object the GPO does not apply. When I run RSOP through GPMC I get all Successes under Component Status but it does end up listed under the Denied GOPs with a reason of Inaccessible.
0
 
Cláudio RodriguesCommented:
On the security you must make sure the policy applies to the Computer object AND to the QuickBooks User group.
Is this how you setup it?

Cláudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
Cláudio RodriguesCommented:
Read this as well.
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html

Cláudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 
kbabbingAuthor Commented:
I do have the security set that way.
Computer Object Read\Apply and The QuickBooks Users Group Read\Apply
0
 
kbabbingAuthor Commented:
The Computer Object is one OU and the Users are in another OU
0
 
Cláudio RodriguesCommented:
And the GPO is created at the OU where the Computers are, correct?

Cláudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 
kbabbingAuthor Commented:
The GPO is applied\linked at the Secure QuickBooks Server OU which when working has the 2 test accounts and the Computer Object within.   When I move the User accounts into a different OU the GPO will not apply. All security filtering has been confirmed per your request.
0
 
kbabbingAuthor Commented:
Thank you I have found the problem. I over looked the fact that I did not have the Group in the same OU as the Computer object. Rookie mistake... You were very helpful!
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now